Thursday, March 30, 2017

ICS-CERT Publishes 2 Schneider Advisories and Medical IOT Alert

Today the DHS ICS-CERT published two control system advisories for products from Schneider Electric. They also published a medical control system alert for a medical lab device from Miele.

Modicon Advisory
This advisory describes three vulnerabilities in Schneider Electric's Modicon PLCs. The vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc. Schneider has produced new firmware versions to mitigate two of the vulnerabilities and workarounds for the remaining one. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-6030;
• Use of insufficiently random values - CVE-2017-6026; and
• Insufficiently protected credentials - CVE-2017-6028

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to spoof or disrupt Transmission Control Protocol (TCP) connections, sniff sensitive account information, and gain unauthorized access to a current web session.

Schneider has taken the unusual move of publishing separate Security Notification documents for each vulnerability (here, here, and here).
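The first two Modicon vulnerabilities are about sequence numbers that an attacker can predict from earlier ones, which is what makes TCP spoofing practical. The following is an added example, not code from ICS-CERT, Schneider or the researchers, and it does not reproduce the specific Modicon defect: it is an offline check you can run on ISNs you have already captured from a device (the SEQ field of each SYN-ACK across a series of connections, e.g. from tcpdump). It plays the attacker, predicting each ISN from the previous one plus the most common increment seen so far, and reports how often the guess lands close enough to inject a segment. The two sample lists are constructed, not captured.

```python
"""Offline check for predictable TCP initial sequence numbers (ISNs).

Added example; not code from the advisory, Schneider or the researchers.
Assumes the SYN-ACK sequence numbers from consecutive connections to the
target have been captured and pasted into a list in arrival order.
"""
from collections import Counter

MOD = 2 ** 32  # ISNs are 32-bit and wrap around


def isn_deltas(isns):
    """Increments between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predict_hits(isns, window=256):
    """Attacker's view: predict each ISN as its predecessor plus the most common
    increment observed so far; a prediction within +/- window of the real value
    is close enough to place a spoofed segment inside the receive window.
    Returns (hits, attempts)."""
    deltas = isn_deltas(isns)
    hits = attempts = 0
    for i in range(1, len(deltas)):
        guess_delta = Counter(deltas[:i]).most_common(1)[0][0]
        predicted = (isns[i] + guess_delta) % MOD
        actual = isns[i + 1]
        distance = min((actual - predicted) % MOD, (predicted - actual) % MOD)
        attempts += 1
        if distance <= window:
            hits += 1
    return hits, attempts


def is_predictable(isns, window=256, threshold=0.5):
    """True when at least `threshold` of the predictions land inside the window."""
    hits, attempts = predict_hits(isns, window)
    return attempts > 0 and hits / attempts >= threshold


# Constructed samples (not captured from any real device).
# A counter-style generator: fixed step of 64000 with a little jitter.
COUNTER_ISNS = [(0x1000_0000 + i * 64_000 + (i % 3) * 7) % MOD for i in range(12)]
# Arbitrary 32-bit values standing in for a properly randomised generator.
RANDOM_ISNS = [0x9F3A1C77, 0x1E88D4B0, 0xC05B7E19, 0x3A6F0D42, 0x7B21E5F8,
               0xE94C3A05, 0x52D7B6C3, 0x0A1F9E8D, 0xB7E3402A, 0x6C9A15F1,
               0xD4027BBE, 0x2F5E8C63]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_ISNS), ("random", RANDOM_ISNS)):
        hits, attempts = predict_hits(sample)
        print(f"{name}: {hits}/{attempts} predictions within window, "
              f"predictable={is_predictable(sample)}")
```

A dozen samples is enough to catch a simple counter; a generator that is random per connection but reuses values across reboots would need samples collected across power cycles, which this check does not attempt.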

Wonderware Advisory
This advisory describes multiple vulnerabilities in the Schneider Wonderware InTouch Access Anywhere. The vulnerabilities were reported by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team. Schneider has produced a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-Site Request Forgery - CVE-2017-5156;
• Information Exposure - CVE-2017-5158; and
• Inadequate Encryption Strength - CVE-2017-5160

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to perform actions on behalf of a legitimate user, perform network reconnaissance, and gain access to resources beyond those intended in normal operation of the product.

The Schneider Security Bulletin reports a fourth vulnerability: the ability to escape out of remote InTouch applications and launch other processes. No CWE information is provided for the fourth vulnerability. Schneider also reports that the researchers have verified the efficacy of the fix.

Miele Alert
This alert describes a publicly reported path traversal vulnerability in the Miele Professional PG 8528, a large-capacity cleaner and disinfector used in hospitals and laboratory settings. ICS-CERT reports that Jens Regel publicly disclosed the vulnerability, but does not provide a link to his post on the Full Disclosure mailing list.
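The alert gives no detail on how the PG 8528's embedded web server builds file paths, so the following is an added example of the vulnerability class only, not Miele's code or the disclosed bug. It places a naive path builder beside a hardened one and runs both over constructed probe requests of the kind a scanner sends, including URL-encoded and doubly encoded forms of `..`. The web root is a made-up path.

```python
"""Web-root confinement for an embedded HTTP server: naive vs. hardened.

Added example, not code from Miele or from the public disclosure; it shows the
path traversal class in general, not the PG 8528 defect specifically.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/www"  # hypothetical document root


def vulnerable_resolve(webroot, request_path):
    """Naive concatenation: every '../' in the request climbs out of the root."""
    return webroot.rstrip("/") + "/" + unquote(request_path).lstrip("/")


def safe_resolve(webroot, request_path):
    """Return the filesystem path for request_path, or None if it would escape
    webroot. Decodes twice, folds backslashes and normalises before checking,
    so encoded (%2e%2e) and doubly encoded (%252e%252e) traversal is caught."""
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:  # NUL truncation tricks against C string handling
        return None
    relative = decoded.replace("\\", "/").lstrip("/")
    normalized = posixpath.normpath(relative)
    # After normpath, any surviving '..' can only be a leading component, and a
    # leading '..' is exactly a climb above the root.
    if normalized == ".." or normalized.startswith("../"):
        return None
    return posixpath.normpath(posixpath.join(webroot, normalized))


# Constructed probe requests (not taken from the disclosure).
PROBES = [
    "/",
    "/index.html",
    "/static/css/../style.css",
    "/../../etc/passwd",
    "/..%2f..%2fetc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/static/..\\..\\etc/passwd",
]


def audit(webroot=WEBROOT, probes=PROBES):
    """Map each probe to (path the naive builder would open, hardened result)."""
    return {
        p: (posixpath.normpath(vulnerable_resolve(webroot, p)), safe_resolve(webroot, p))
        for p in probes
    }


if __name__ == "__main__":
    for probe, (naive, hardened) in audit().items():
        print(f"{probe!r:42} naive={naive!r:34} hardened={hardened!r}")
```

When testing a device rather than reviewing code, the same probe list is what you would send over HTTP, checking for a 200 with file content on the traversal entries; the doubly encoded probe is there because a server that decodes once before routing and once again before opening the file is a common way this bug survives an apparently correct check.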

The Miele press release on this vulnerability minimizes the criticality of the problem (perhaps legitimately so). What is more interesting is their comment on their failure to respond to Regel’s attempt at responsible disclosure:

“The technical aspects in this case are entirely separate from the fact that the Miele company failed to respond to several notifications regarding this issue. Executive Directors view this as a serious shortcoming, the details of which have already been investigated in depth with a view to preventing any repeat occurrence in future. They stress that they would like to thank Jens Regel, the source of this evidence, for his information – and for his perseverance.”
While the initial disclosure response was deficient, this statement certainly reflects a more constructive attitude on the part of the company's upper management.
